Attacks and Counter Defense Mechanisms for Cyber-Physical Systems

Taha Hassan, Lulu Wang

CS 5214, Fall 2015

Upload: sharon-eaton

Post on 18-Jan-2018


Overview

● Survivability of cyber-physical systems
● Failure types (attrition, pervasion, exfiltration)
● Case Study: Reliability in the electrical grid
● Optimal design conditions and tradeoffs

Survivability: System Model

● ‘Smart’ grid conceptual model
● Centralized management nodes
● Sensors
● Distributed control nodes
● Actuators
● Communications links

Survivability: Failure Types

● Attrition failure (direct mission impact)
● Pervasion failure (direct means to damage)
● Exfiltration failure (secretion of grid data to instrument attack)

Survivability: Attacker Behavior

● Surveilling attacker
  ● Long-term operations (trade secrets analogy)
  ● CM nodes, sensors, comm. links
  ● Need for discretion
● Destructive attacker
  ● Short-term disruption
  ● Actuators, CM nodes, control nodes
  ● Discretion not a concern

Survivability: Countermeasures

● Intrusion detection
  ● Pfnx, Pfpx
  ● Optimal detection interval TIDSx
● Data leak rate control
  ● TTX, Tsensing
● Redundancy
  ● Redundancy factor αx
  ● INITx = MINx × αx

Performance Model

● System behavior description based on SPN (stochastic Petri net) modeling
● Three device types represented by nodes: S, C, A (sensors, control nodes and actuators)

Performance Model

PATTRIT = 1: system failure; too many C and A nodes have been evicted and compromised

PLEAK = 1: system failure; compromised S and C nodes are exfiltrating too much data

PPERVADE = 1: system failure; a high ratio of uncompromised C and A nodes have been compromised


Performance Model: The first event

System initiation: INITx nodes, x ∈ {S, C, A}, for sensors, control nodes and actuators, respectively.

All nodes are uncompromised.

Place PGOODx holds the tokens, one token representing one node.

Performance Model: The second event

TCPx: the attacker compromises a device. Transitions TCPx model this event: uncompromised nodes are compromised by the attacker.

The time of this process is an exponentially distributed random variable.

Node: changes from good to malicious.

Place: the node is moved from PGOODx to PBADx.

Performance Model: The second event

The system's 9-state representation is (PATTRIT, PGOODS, PGOODC, PGOODA, PBADS, PBADC, PBADA, PLEAK, PPERVADE). If, in state (0, ns, nc, na, 0, 0, 0, 0, 0), an uncompromised sensor node is compromised, a token flows from PGOODS to PBADS and the resulting state is (0, ns − 1, nc, na, 1, 0, 0, 0, 0).

Performance Model: The third event

TFPx: the detection system (IDS) falsely detects a node. Transitions TFPx model this event: uncompromised nodes may be incorrectly evicted.

Node: an uncompromised node is removed from place PGOODx.

Place: a token is removed from PGOODx.

Performance Model: The third event

The system's 9-state representation is (PATTRIT, PGOODS, PGOODC, PGOODA, PBADS, PBADC, PBADA, PLEAK, PPERVADE). If, in state (0, ns, nc, na, 0, 0, 0, 0, 0), the IDS misdetects and evicts an uncompromised actuator, a token flows out of PGOODA and the resulting state is (0, ns, nc, na − 1, 0, 0, 0, 0, 0).

Performance Model: The fourth event

TIDx: the IDS correctly detects a compromised node as compromised. Transitions TIDx model this event: compromised nodes are correctly evicted.

Node: the number of unevicted compromised nodes decreases by 1.

Place: one token is removed from place PBADx.

Performance Model: The fourth event

The system's 9-state representation is (PATTRIT, PGOODS, PGOODC, PGOODA, PBADS, PBADC, PBADA, PLEAK, PPERVADE). If, in state (0, ns, nc − 1, na, 0, 1, 0, 0, 0), the IDS detects and evicts a compromised control node, a token flows out of PBADC and the resulting state is (0, ns, nc − 1, na, 0, 0, 0, 0, 0).

Performance Model: The fifth event

TATTRITx models the system attrition failure event.

TATTRITx: fired by EATTRITx when the uncompromised control node count is less than the minimum count.

Node: one token is set in place PATTRIT.

Place: PATTRIT

TATTRITx is enabled when the attrition failure condition is true, that is, when its enabling function returns true.

Table V lists the enabling functions governing the firing of TATTRITx.

The system's 9-state representation: (PATTRIT, PGOODS, PGOODC, PGOODA, PBADS, PBADC, PBADA, PLEAK, PPERVADE)

TCPx: a token is moved from PGOODx to PBADx.

TFPx: a token is removed from PGOODx.

Performance Model: The sixth event

TPERVADEx models the system pervasion failure event.

TPERVADEx: fired by EPERVADEx, the Byzantine failure condition applied to nodes.

Node: when nodes move from PGOODx to PBADx, or when nodes are evicted from PGOODx.

Place: PPERVADE is set to 1.

Byzantine failure: when at least 1/3 of the control nodes or actuators are compromised (PBADx), the system suffers a Byzantine failure.

The enabling functions of TPERVADEx with x ∈ {C, A}, governing the firing of TPERVADEx, are defined in Table V.

The system's 9-state representation: (PATTRIT, PGOODS, PGOODC, PGOODA, PBADS, PBADC, PBADA, PLEAK, PPERVADE)

TCPx: a token is moved from PGOODx to PBADx.

PPERVADE: set to 1.

Performance Model: The seventh event

TLEAKx models the system exfiltration failure event.

TLEAKx: the attacker secretes enough data about the victim sensor/control node.

Node: bad nodes (nodes from PBADx) transmit the data out of the system; criminals hack the system and steal the intelligence.

Place: PLEAK is set to 1.

Countermeasures: data leak rate controls

The system's 9-state representation: (PATTRIT, PGOODS, PGOODC, PGOODA, PBADS, PBADC, PBADA, PLEAK, PPERVADE)

PLEAK: set to 1.

Performance Analysis

● Model Parameterization
● Results

Model Parameterization

The parameters consist of input parameters and design parameters.

A design parameter is one that the system manager can choose. An input parameter is one that the operating environment dictates.

λT denotes the transition rate of transition T.

Model Parameterization: Physical explanations

TCPx: the attacker compromises a device

|PGOODx|: the number of uncompromised nodes of device type x

λx: the per-node compromise rate for device type x

The more uncompromised devices there are, the more compromise opportunities.

TIDx: the IDS (intrusion detection system) detects a compromised device

Rate: the rate at which bad nodes are correctly detected and forced to leave the place

|PBADx|: the number of compromised nodes

Pfnx: the false negative probability

TIDSx: the IDS detection interval

In every TIDSx interval, 1 − Pfnx is the probability that a bad node is correctly identified as a bad node.

TLEAKS: the attacker secretes a substantial amount of victim sensor data

λTLEAKS: the rate at which the TLEAKS transition fires
● The first term is for a compromised sensor node to rotate in for reporting sensing data
● The second term is for the rate at which sensing reporting occurs
● The third term is for the maximum number of leaks the system can tolerate before an exfiltration failure occurs

MAXLEAKS: an input parameter, the maximum number of leaks the system can tolerate

TLEAKC: the attacker secretes a substantial amount of victim control node data

TTX: the allowable data transmission rate per node

MAXLEAKC: an input parameter, the maximum amount of leaked data beyond which an exfiltration failure occurs

TFPx: the IDS falsely detects a device

Rate: the rate at which good nodes suffer false positives

|PGOODx|: the number of uncompromised nodes

Pfpx: the false positive probability that a good node of type x will be misidentified as a bad node

TIDSx: the IDS detection interval
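Added example (not from the slides or their source paper): a Python token game over the 9-place marking, with a stochastic simulation of TCPx, TFPx and TIDx that runs until an attrition or pervasion failure. The rate forms, the base of the 1/3 Byzantine ratio (unevicted nodes of type x) and every parameter value are assumptions; the TLEAKx transitions are left out because their rate terms do not survive in this transcript.

```python
import random

# Marking order from the slides:
# (PATTRIT, PGOODS, PGOODC, PGOODA, PBADS, PBADC, PBADA, PLEAK, PPERVADE)
GOOD = {"S": 1, "C": 2, "A": 3}
BAD = {"S": 4, "C": 5, "A": 6}
PATTRIT, PLEAK, PPERVADE = 0, 7, 8

def fire(m, t, x):
    m = list(m)
    if t in ("TCP", "TFP"):   # TCPx / TFPx: a token leaves PGOODx
        m[GOOD[x]] -= 1
    if t == "TCP":            # TCPx: the token lands in PBADx
        m[BAD[x]] += 1
    if t == "TID":            # TIDx: a token leaves PBADx
        m[BAD[x]] -= 1
    return tuple(m)

def check_failures(m, min_x):
    m = list(m)
    for x in ("C", "A"):      # failure conditions on control nodes and actuators
        good, bad = m[GOOD[x]], m[BAD[x]]
        if good < min_x[x]:
            m[PATTRIT] = 1    # attrition: fewer good nodes than MINx
        if bad and 3 * bad >= good + bad:
            m[PPERVADE] = 1   # Byzantine: >= 1/3 of unevicted x nodes (assumed base)
    return tuple(m)

def rates(m, lam, p_fn, p_fp, t_ids):
    # Assumed rate forms built from the terms the slides name; zero rates dropped.
    r = {}
    for x in "SCA":
        r["TCP", x] = m[GOOD[x]] * lam[x]
        r["TFP", x] = m[GOOD[x]] * p_fp[x] / t_ids[x]
        r["TID", x] = m[BAD[x]] * (1 - p_fn[x]) / t_ids[x]
    return {k: v for k, v in r.items() if v > 0}

def time_to_failure(min_x, alpha, lam, p_fn, p_fp, t_ids, rng):
    init = {x: int(min_x[x] * alpha[x]) for x in "SCA"}  # INITx = MINx * alpha_x
    m, t = (0, init["S"], init["C"], init["A"], 0, 0, 0, 0, 0), 0.0
    while True:
        m = check_failures(m, min_x)
        if m[PATTRIT] or m[PPERVADE]:
            return t, m
        r = rates(m, lam, p_fn, p_fp, t_ids)
        t += rng.expovariate(sum(r.values()))       # exponential sojourn time
        name, x = rng.choices(list(r), weights=list(r.values()))[0]
        m = fire(m, name, x)
```

Averaging `time_to_failure` over many seeded runs gives an MTTF estimate that can be compared across values of TIDSx or αx.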


Results: Effects of detection interval TIDSx

● Pfn < Pfp: mislabeling healthy nodes is more probable, so a smaller TIDSx implies faster monotonic failure

● Exfiltration and pervasion failures depend on the ‘bad node ratio’, hence an optimal MTTF at the optimal node ratio

Results: Effects of false pos./neg. prob. TIDSx

● Pfp: mislabeling healthy nodes becomes more probable, so a smaller TIDSx implies faster monotonic failure

● Similar trends for Pfn, though MTTF is less sensitive to it.

Results: Effects of redundancy factor (αc) TIDSx

● Attrition and pervasion: redundancy improves MTTF (bad node ratio decreases with redundancy)

● Exfiltration: redundancy limits MTTF (note that the transition rate for TLEAKC changes with num_bad_nodes; for TLEAKS, it’s bad_node_ratio)

Questions.
